Ok, I merged the changes into my branch und updated the pull request.
The problem I wanted to solve is that JNLP can not be signed (and then be modified). Modifying JNLP files is crucial to dynamic WebStart apps, such as several products of my company. Both Apple and Oracle have open rdars/tickets on the issue which is being discussed on SO and other platforms (see this stackoverflow question).
Using appbundler you can now create an .app container that launches the JNLP file (first copies it to a temporary location) - it will also load updates of the JNLP automatically.
As for security: You are right. Even if a a developer properly signs the .app with an Apple issued certificate. It's more like a workaround to have an app start instantly without bugging the user (every time he downloads the potentially same JNLP) - who is not a developer in most cases - that the JNLP can't be launched and the thing is not signed and so on. I personally think this is safe until Oracle or Apple come up with a better solution.
Despite the security issues: I think for an end-user on a Mac this might be the most convenient solution. They simply download an app which they can permanently store in their Applications. If the app is signed properly (and the servers run on subsequent starts of the app ;) ) everything runs fine right out of the box.
I'm sorry it has taken so long to respond here. I'd like to merge your PR now but unfortunately I've left it so long that there are now conflicts. Would you mind resolving them and then update the PR and I'll merge it before taking any other action?
I once again merged with the original repository. This is due to a change in Java9 that will require a modification on the base code as well: Java changes the version schema and skips several numbers ahead: Java 9 has version "9", not "1.9" so the parsing will have to be modified.